Hello everyone and thank you for joining us today on this CNCF webinar. My name is Gal and I work at ARMO as a product manager. I want to tell you a little bit about ARMO. ARMO was founded in 2019 with the purpose of building an open-source Kubernetes security product made for developers. We're based in Tel Aviv and we hold 30 team members at this point, and lately we successfully summed up a round of funding for $30 million by Tiger Global, Hyperwise and Pitango First.

And about a year ago, we launched Kubescape as an open-source tool and it is now one of the fastest growing Kubernetes security open-source projects on GitHub, with around 6,000 stars, tens of thousands of users and over 10,000 Kubernetes clusters already scanned, and we're still counting. Now Kubescape accompanies the software development lifecycle from dev to production and helps you overcome the complexity of Kubernetes security. Kubescape offers not only the CI/CD phase scanning but also continuously scans your environment, so if anything changes, you'll be aware of that.

And Kubescape is a multi-dimensional Kubernetes single pane of glass for everything related to misconfiguration scanning, security analysis and compliance, risk scoring, image vulnerabilities and the ARMO Visualizer. The single pane of glass is actually taking the things that could go wrong and collecting them together to enable you to enforce and define your environment based on the best practices and pre-built frameworks that we provide. It enables you to detect and prevent drifts continuously and of course we also suggest the remediation needed. So we are talking about the different configurations of Kubernetes and the cluster itself, the configuration of your workloads, the actual user activity, the vulnerability assessment, the different RBAC, role-based access controls, that exist in your cluster. And finally we're taking all of that against the compliance benchmark to assess the complete posture of your environment.
Now Kubescape is an open source project, therefore you can access the GitHub repo page; everything you need and want to know about Kubescape is right there. Everything is transparent and I welcome you to head over after this webinar and check it out.

Now let's see Kubescape in action. The deployment is very easy. You head over to our GitHub and start by running this line of code. This will download and install Kubescape. It's running this install script and it's running the latest version of Kubescape. You can run it and two minutes later you get results with this command line. This is the Kubescape scan command and you can see that in two minutes you get this table right here. You can see the severity of the controls that failed or were passed, the name of the control with a little bit of description, how many resources failed on this control and the overall risk score. Now you can continue to operate Kubescape using the CLI. It's flexible. You can run various tests and scans and you can read the documentation to get even more information on how to use it.

But there's another option of using the Cloud UI version, which is a much more visual way to operate and work with Kubescape to bring you more value when talking about configuration drifts, history, etc. So after your first scan you head over to this page, to the Kubescape page, and you can see this information regarding your environment. What we see here is first of all the dashboard. This is where we aggregate all the important information regarding your environment that you should be aware of. You can see the different clusters that might have the highest severity scores. You can see the history, drifts and trends and you can see the top five failed controls and the top five CVEs that we found in your clusters, in your environment.

Going into configuration scanning, let's head over there. This is where you can choose which cluster you want to focus on. You can see it's a multi-cluster environment.
So you can choose your cluster and you can see right here the different types of frameworks that we use. You can also build your own framework right here and customize it according to your needs and you can pick and choose which controls you want to use and which you don't. That way you get the most relevant framework to your environment. But you can also use the suggested frameworks that we have right here. When you scroll down you can see the list of controls that we are running as part of this framework that I chose to scan. And I can see which controls failed, which are not relevant and excluded controls. Another important thing is we see here drifts. You can see how many resources failed and if we had a previous scan we could also see the previous scan.

And let's head over to this control right here. This is a failed control on two resources and if I click on it I can see which resources exactly failed on this control. I can also set an exception if I want them to control and I can see the previously failed resources in case I have a second scan. Now I want to fix it, so I can just click right here and I get to the YAML file and I can see exactly where it failed. So for instance this YAML file failed on this host port and it says to avoid usage of host port unless it's absolutely necessary.

So you see a lot of tools out there right now telling you, listen, your situation is bad. They'll show you lots of red and lots of alerts, but Kubescape does even more. We show you why, where and how: why it failed, where it failed and of course how to fix it. So I understand why this specific control failed on this file.

What you are seeing now is requiring me to run a cluster. I need to have a running cluster. I will show you in about a few minutes how you can use Kubescape and there's a lot more without running a single cluster. So I can integrate Kubescape into my CI/CD process. I can configure thresholds. I can define gates for my CI/CD process.
I can tell Kubescape to failed controls can trigger conditions and so on, and I can also integrate with GKE, AKS, EKS and also OpenShift.

Let's head over back to our Cloud UI, and what I want to show you right now, the next thing, is image scanning. This is where we scan and detect different types of open source vulnerabilities and I can filter and sort depending on certain parameters, for instance critical only, the ones that have fixes, and only RCE, remote code execution. Let's talk about the RCE. This means that attackers could possibly take advantage of the remote code execution vulnerability which is in some images. This is very important because one of the chances that an attacker will have direct access to the Kubernetes cluster but having this RCE enabled might make the attacker's life even easier, and this is something we want to point out so you can fix it quickly.

Now let's focus on this for a second. Your YAML files are using different images and might even use different image registries, some of which are public and you have no control of. Now Kubescape detects which registries you are using from your YAML files and Kubescape allows you to add those registries to an allow list, so it will be okay to use this registry. So this registry won't fail in some control tests. You decide how you want to manage it.

Let's talk about the RBAC visualizer. This is the last thing I want to show you before we head over to our new features, the latest features. So the RBAC visualizer is a very powerful tool. It simplifies the way you manage RBAC in your environment, which we know is a complex domain in Kubernetes. So in this case I will choose my cluster right here from my list and what I will see is a visualized way of all the RBAC in my environment. I will see roles, I will see services, entities, role bindings and of course it's interactive so I can play and move around so I can see the relationships even better. Now this is nice, but actually the RBAC visualizer does even more.
One of the things is querying and investigating my RBAC configuration. For instance, let's see the services or entities that are cluster admin, which we know is a sensitive role, right? So these are the entities in my environment that have the cluster admin. Let's say I also want to ask who can delete pods, for instance, and I can see exactly who can do that in my environment, and I can also ask more questions about my users.

So after seeing these capabilities of Kubescape, let's head over to our latest features. Let's start with the code repository scan. Kubescape is designed to help you detect misconfiguration scanning at any stage of the software development lifecycle, and Kubescape is also, we also talked about it, can be integrated with various DevOps tools. So up until this point you had to start a cluster and trigger or schedule scans in order to see the manifest file scan results in the cloud UI. Or you could scan repositories and see the results in the CLI only, but today we're happy to announce that Kubescape shifts left even more. Now Kubescape can scan your Kubernetes manifest files at the repository level, meaning no need for an active cluster. It means Kubescape is able to inform you of the misconfigurations and potential vulnerabilities even before the code is deployed once. Using the code repository scan capabilities you can see history, you can see trends, you can see fix suggestions with the system remediation so you can fix issues in a heartbeat without deploying a single workload.

You can see right here in this list I have the repository names, I have the owner of the repositories, the branch of course and the number of files scanned in those repositories. I just want to make sure you see here the frameworks, you can see the number of the names of the frameworks that I ran and of course the failed controls with, by severity, the critical failed controls, the high failed controls, the medium and of course the low.
So the best thing is you can choose between scanning a remote repository or scanning your own local folders. If I drill down into this repository I can see the files that failed, I can see the type of the files, for now it's YAML, I can see the frameworks that scanned this file and I can see how many controls failed on this file. So I can go right here and I see the exact file and where it failed and which controls failed on it and of course the remediation stage. You can see right here that I'm using some image named Perl and I didn't limit my registry from where I pulled this image.

Speaking of images, let's talk about the new feature, the new and exciting feature for image registry scans. Right now you don't need to have a running cluster anymore to scan images for vulnerabilities with the new image registry scan. Kubescape can scan your private and public registries like docker.io and quay.io registries even before the images are deployed on a running cluster. So you know the process: you take an image, you add your own dependencies and code, you tag it, and you ship it to your image registry. So right now you don't have to deploy a workload or even write a single line of a YAML file in order to get a list of potential vulnerabilities within your images. This way you'll be able to detect vulnerabilities even earlier in the development process and you can assess a potential use risk when using public images and prevent the vulnerabilities from reaching your deployments and production environment.

So you can see right here the list of the image registries that I scanned. You can see the scan time, the registry that was scanned and the repository; I can even get granular with the repository of images inside a registry. And I can see the image tag. Also, of course, I can see the failed controls, how many critical, high, medium, low, and of course the negligible. So if I click right here, I can see which controls exactly failed on this image.
And in this case, I have critical and high. Let's take the critical, for instance; you can see all the critical controls that failed on this image. And of course, you can see the fix available. If there is a fix for it, I will tell you, Kubescape will tell you in which version it was fixed so you can upgrade your version of the image. And remember the RCE from before? We also tell you right here if it's RCE enabled or not. And of course, the description about this specific control.

So that's about it. I want to thank you very much for listening. And we would love to keep in touch. And I welcome you to star us on GitHub, join our Discord, visit our website and learn more about Kubescape and our roadmap ahead. Thank you very, very much.